A data breach incident involving the LockBit ransomware gang and a major provider of US government-subsidized medical care has resolved in about the worst way possible, with the sensitive personal information of nearly nine million patients dumped to the public via the threat group’s leaks site.
Managed Care of North America (MCNA) Dental provides services to recipients of Medicaid and those enrolled in the CHIP children’s health program, and the organization says that it has contacted all of those that it has good contact information for. The stolen information may have varied by participant, but some highly sensitive information was included among some of the records, including Social Security numbers and details about medical treatments.
LockBit ransomware refuses to go away, reverses course on “no attacking children” policy
In April the LockBit ransomware gang backpedaled on an affiliate’s attack on an Illinois school district, apologizing and offering a free decryption key due to the fact that children were disproportionately impacted. That policy appears to have changed, with CHIP information among what was taken from the data breach and dumped to the public. While LockBit is no longer the most active group (as it was for much of 2022), it is still going strong and has recently expanded its custom toolset to include ransomware that targets MacOS.
The LockBit ransomware gang is also far from the only hacking group showing an increased interest in health care organizations, which were previously not a priority target. Hackers are zeroing in on patient care due to the records packed with useful personal information, and the fact that few in the industry can afford substantial downtime without putting lives and health at risk.
This information is so valuable that victims have to ask hard questions about whether the attacker can really be trusted to delete it if paid off; MCNA appeared to feel that a ransom payment was pointless in this case, with the information ultimately being released to the public about a month after the data breach. This calculation is an increasingly important one for the health care industry as its members assess ongoing cyber risk and budget for deterrents and recovery systems accordingly.
Data breach ends with 700 GB of stolen information leaked to public
For a period of about a month, from early February to early March, the data breach window was open and the LockBit ransomware gang was able to steal hundreds of gigabytes of patient information. There may have been another month of negotiations or payment demands made of MCNA, before the stolen data was dumped in early April. Though it was available via the leak site for nearly two months, the general public was not notified of the data breach until May 26.
At this time the total victim count is 8,923,662. Medicaid and CHIP recipients are naturally among this count, but it also includes parents, guardians and guarantors. The information stolen in the data breach may vary by individual but could include Social Security numbers, treatment details, insurance claims, bills, and driver’s license numbers. MCNA is offering 12 months of free credit report monitoring to victims.